The Microsoft Malware Protection Center has been tracking a recent 0-day vulnerability for Microsoft Internet Explorer very closely after it was found in the wild in early November, apparently being used in targeted attack attempts. As public exploit code became available and attackers began integrating the code into their toolkits, we continued to closely monitor the attack attempt patterns through the coverage (Exploit:Win32/CVE-2010-3962
) provided to customers.
The attack patterns for this vulnerability have been somewhat unusual. The Friday after we began our tracking effort, we saw our first spike in activity, predominantly targeting users in Korea, and secondarily attempting to exploit users in China. Although attacks in China trended down over subsequent weeks, we continued to see weekend-related spikes in Korea. However, after the second weekend spike, even these attack attempts continued to trend down, revealing a smaller number of attack attempts each coming weekend. The following chart shows the geo-location of computers reporting the attack attempt along with the “trending down” effect we’ve seen.